Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Fortune
Fortune
Alice Hearing

TSA's no-fly list was exposed by a "bored" hacker

A Transportation Security Administration (TSA) officer works at a security checkpoint (Credit: Andrew Harrer—Bloomberg via Getty Images)

The TSA’s no-fly list, containing the identities of known or suspected terrorists, has been discovered sitting on the public internet by a hacker who stumbled upon it when they were bored. 

Consisting of 1.5 million entries with names and birthdates, the document was found within a computer server hosted by regional Ohio-based airline CommuteAir under a text file plainly titled “No-Fly.csv.” 

“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” said TSA in a statement

The Swiss hacker, who goes by maia arson crimew online, said she had been using Shodan at the time, a search-engine used by those in the cybersecurity community to locate servers exposed to the open internet. 

She notified CommuteAir, and published the details of her discovery in a blog post titled “"how to completely own an airline in 3 easy steps," describing the revelation as a “jackpot.” 

“I had owned them completely in less than a day, with pretty much no skill required besides the patience to sift through hundreds of shodan/zoomeye results,” she added. 

CommuteAir confirmed the authenticity of the document to tech news outlet The Daily Dot, which first reported on the data exposure, but said that the list dates back to 2019.

They also confirmed that the server did contain the personal details of around 900 employees, including names, birth dates and the last four digits of social security numbers, but it did not have any customer information, according to the results of their continued investigation. 

The airline added that the server was a “development server” used for testing purposes, and that it has now been taken offline.

Exposed data

The list reportedly contains the details of convicted Russian arms dealer Viktor Bout and 16 other aliases, who was recently sent back to Russia by the Biden administration in a prisoner exchange for WNBA star Brittney Griner. 

It also includes several suspected members of the IRA, and even the names of children, according to the hacker who stated that one such entry’s birth date would make them eight years old. 

The hacker has pointed out, alongside other researchers, that the list contains a large percentage of Arabic or Middle Eastern names. 

“It’s just crazy to me how big that Terrorism Screening Database is and yet there is still very clear trends towards almost exclusively Arabic and Russian sounding names throughout the million entries,” she said. 

The server also contains significant details of roughly 900 CommuteAir employees including names, birth dates and the last four digits of their social security numbers. 

Hacker known to authorities

This is not the first time that hacker maia arson crimew has made some waves. Aged 23, from Switzerland, she has previously gone by the name Tillie Kottmann and described herself as a cybersecurity researcher, according to a report by CNN. 

She was allegedly involved in the breach of U.S. security camera maker Verkada in 2021, accessing live feeds of thousands of cameras inside hospitals and prisons. 

In the same year, a person with the same name was indicted by a U.S. grand jury for taking part in a conspiracy hacking into multiple companies and government organizations as well as posting stolen data online. 

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.